Describe the bug
Self-signed certificates generated without the Subject Alternative Name (SAN) attribute are not validated by the Python requests library. This is due to stricter requirements in certificate verification.
Moreover, the requests library relies on certifi for trusted CAs, which means it does not trust self-signed certificates by default.
The requests library can be configured to use the local certificate store by setting
REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt. But this needs to be done in the supervisor's systemd config to make all supervisor services trust the self-signed certificate.
[Service]
Environment=REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
We should update the role to do the following:
- Add the SAN attribute when generating the self-signed certificate
- Add the self-signed certificate to the local store (copy the certificate to /usr/local/share/ca-certificate/wireguard_updater.crt and run update-ca-certificates)
- Update the supervisor's systemd setting, such that all supervisor processes trust this self-signed certificate.
P.S.: Let's double check the requirements before proceeding with the change
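As an added illustration of the three steps above (not the role's own tasks), the script below generates a self-signed certificate that carries a SAN, checks that the SAN is actually present (and that a certificate generated the old way lacks it), and wraps the trust-store install and the systemd drop-in in functions that are only run by hand as root. The hostname wireguard-updater.example.internal and the unit name supervisor.service are placeholders; the certificate file name wireguard_updater.crt and the REQUESTS_CA_BUNDLE setting are taken from the issue. It assumes OpenSSL 1.1.1 or newer (for `-addext`) and the Debian/Ubuntu update-ca-certificates layout, where the drop directory is /usr/local/share/ca-certificates/.

```shell
#!/bin/sh
# Added example, not part of the role. Assumptions: OpenSSL >= 1.1.1,
# Debian-style update-ca-certificates, unit name "supervisor.service".
set -eu

SAN_HOST="wireguard-updater.example.internal"   # constructed placeholder
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/wireguard_updater.key"
CERT="$WORKDIR/wireguard_updater.crt"
NOSAN_CERT="$WORKDIR/no_san.crt"

# Self-signed certificate WITH a SAN: this is what requests/urllib3 require,
# since a CN alone is no longer accepted for hostname matching.
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=$SAN_HOST" \
        -addext "subjectAltName=DNS:$SAN_HOST,IP:127.0.0.1" 2>/dev/null
}

# The "before" case: same subject, no SAN extension (kept only for comparison).
gen_cert_no_san() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -keyout "$WORKDIR/no_san.key" -out "$NOSAN_CERT" \
        -subj "/CN=$SAN_HOST" 2>/dev/null
}

# Print "yes" if the certificate's SAN extension names the expected host,
# "no" otherwise. A pre-deploy check for the role would look like this.
cert_has_san() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$SAN_HOST"; then
        echo yes
    else
        echo no
    fi
}

# Step 2 of the issue: add the certificate to the local trust store.
# Needs root; not executed automatically by this script.
install_cert() {
    install -m 0644 "$CERT" /usr/local/share/ca-certificates/wireguard_updater.crt
    update-ca-certificates
}

# Step 3 of the issue: a systemd drop-in so every process started by the
# supervisor unit inherits REQUESTS_CA_BUNDLE and therefore trusts the store.
write_dropin() {
    mkdir -p /etc/systemd/system/supervisor.service.d
    cat > /etc/systemd/system/supervisor.service.d/ca-bundle.conf <<'EOF'
[Service]
Environment=REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
EOF
    systemctl daemon-reload
}

gen_cert
gen_cert_no_san
echo "with SAN:    $(cert_has_san "$CERT")"
echo "without SAN: $(cert_has_san "$NOSAN_CERT")"
```

Run it unprivileged to see the SAN check; as root, call `install_cert` and `write_dropin` afterwards, then restart the supervisor unit so the new environment is picked up. The drop-in is preferable to editing the unit file itself because package upgrades will not overwrite it.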